Abstract. In the refinement calculus, monotonic predicate transformers
are used to model specifications for (imperative) programs. Together 
with a natural notion of simulation, they form a category enjoying many 
algebraic properties. 

We build on this structure to make predicate transformers into a de- 
notational model of full linear logic: all the logical constructions have a 
natural interpretation in terms of predicate transformers (i.e. in terms of 
specifications). We then interpret proofs of a formula by a safety property 
for the corresponding specification. 



Introduction 

The first denotational model for linear logic was the category of coherent spaces ([1]). In this model, formulas are interpreted by graphs, and proofs by cliques (complete subgraphs). This forms a special case of domains à la Scott.

From a conceptual point of view, the construction of interfaces is a little 
different: first, the model looks a little more dynamic; then, seeds — the notion 
corresponding to cliques — are not closed under substructures; and finally, they 
are closed under arbitrary unions (usually, only directed unions are allowed). 

What was a little unexpected is that the interpretation of linear proofs used in the relational model can be lifted directly to this structure to yield a denotational model of full linear logic in the spirit of ...-coherence or finiteness spaces.

A promising direction for further research is to explore the links between the model presented below and non-determinism as it appears both in the differential lambda-calculus ([2,3]) and in different kinds of process calculi. We expect such a link because of the following remarks: this model comes from the semantics of imperative languages; it can be extended to a model of the differential lambda calculus (which can be seen as a variant of "lambda calculus with resource"); and there is a completely isomorphic category in which predicate transformers are replaced by (two-sided) transition systems. In particular, all of the logical operations presented below have natural interpretations in terms of processes.
1 Relations and Predicate Transformers

Definition 1. A relation r between two sets is a subset of their cartesian product. We write $r^{\sim}$ for the converse relation: $r^{\sim} = \{(b, a) \mid (a, b) \in r\}$. The composition of two relations $r \subseteq A \times B$ and $r' \subseteq B \times C$ is defined by
$r' \cdot r = \{(a, c) \mid (\exists b \in B)\ (a, b) \in r \wedge (b, c) \in r'\}$.

If X is a set, $\mathrm{Id}_X$ denotes the identity on X, i.e. $\mathrm{Id}_X = \{(a, a) \mid a \in X\}$.

There seem to be three main notions of morphisms between sets. These give rise to three important categories in computer science:

- Set, where morphisms are functions;

- Rel, where morphisms are (binary) relations;

- Pow, where morphisms are monotonic predicate transformers.

One can go from Set to Rel and from Rel to Pow using the same categorical construction ([4]), which cannot be applied further.

Definition 2. A predicate transformer from A to B is a function from $\mathcal{P}(A)$ to $\mathcal{P}(B)$. A predicate transformer P is monotonic if $x \subseteq x'$ implies $P(x) \subseteq P(x')$.

From now on, we will consider only monotonic predicate transformers. The ad- 
jective "monotonic" is thus implicit everywhere. 

The term "predicate" might not be the most adequate but the terminology 
was introduced by E. Dijkstra some decades ago, and has been used extensively 
by computer scientists since then. Formally, a predicate on a set A can be iden- 
tified with a subset of A by the separation axiom of ZF set theory; the confusion 
is thus harmless. 

Definition 3. If r is a relation between A and B, we write $\langle r \rangle : \mathcal{P}(A) \to \mathcal{P}(B)$ for the following predicate transformer (called the direct image of r):

$\langle r \rangle(x) = \{b \in B \mid (\exists a \in A)\ (a, b) \in r \wedge a \in x\}$.

Note that in the traditional version of the refinement calculus ([5]), our $\langle r \rangle$ is written with a different notation, but that notation clashes with set theoretic notation and would make our formulas very verbose.

2 Interfaces

Several denotational models of linear logic can be seen as "refinements" of the relational model. This very crude model interprets formulas by sets, and proofs by subsets. It is degenerate in the sense that any formula is identified with its linear negation! Coherent spaces ([1]), hypercoherent spaces ([6]) and finiteness spaces ([7]) remove (part of) this degeneracy by adding structure on top of the relational model. We follow the same approach:

Definition 4. An interface X is given by a set $|X|$ (called the state space) and a predicate transformer $P_X$ on $|X|$ (called the specification).
The term "specification" comes from computer science, where a specification usually takes the form:

    if the program is started in a state satisfying $\phi$, it will terminate; and the final state will satisfy $\psi$.

Such a specification can be identified with the (monotonic) predicate transformer $\psi \mapsto$ "biggest such $\phi$". This point of view is that of the wp calculus, introduced by Dijkstra ("wp" stands for "weakest precondition"). Note that the specification "goes backward in time": it associates to a set of final states (which we want to reach) a set of initial states (which guarantee that we will reach our goal).

For a complete introduction to the field of predicate transformers in relation 
to specifications, we refer to [5]. 

In the coherence semantics, a "point" is a complete subgraph, called a clique. Since the intuitions behind our objects are quite different, we change the terminology.

Definition 5. Let X be an interface; a subset $x \subseteq |X|$ is called a seed of X if $x \subseteq P_X(x)$. We write $\mathcal{S}(X)$ for the collection of seeds of X.

More traditional names for seeds are safety properties, or P-invariant properties: 
if some initial state is in x, no matter what, after each execution of a program 
satisfying specification P, the final state will still be in x. In other words, P 
maintains an invariant, namely "staying in x". In particular, there can be no 
program deadlock when starting from x. 

The collection of cliques in the (hyper)coherent semantics forms a c.p.o.: the sup of any directed family exists. The collection of seeds in an interface satisfies the stronger property:

Lemma 1. For any interface X, $(\mathcal{S}(X), \subseteq)$ is a complete sup-lattice.

Proof. $\emptyset$ is trivially a seed; and by monotonicity of P, a union of seeds is a seed. □

The fact that seeds are closed under union may seem counter-intuitive at first; but one possible interpretation is that we allow for non-deterministic data. For example, all denotational models of linear logic have an object for the booleans: its state space is $\{t, f\}$, and the cliques are always $\emptyset$, $\{t\}$ and $\{f\}$. The union of $\{t\}$ and $\{f\}$ is usually not itself a clique because "one cannot get both true and false". However, if one interprets union as a non-deterministic sum, then $\{t, f\}$ is a perfectly sensible set of data.

However, nothing guarantees that a seed is the union of all its finite subseeds; a given seed need not even contain any finite seed! (The canonical example being $P_X(x) = X$, with X infinite.)

Footnote (Definition 4): In a previous version, interfaces also had to enjoy the property $P(\emptyset) = \emptyset$ and $P(|X|) = |X|$. This condition doesn't interact well with second order interpretation and has thus been dropped.

Footnote (clique): The intuition is that a set of data is coherent iff it is pairwise coherent.
3 Constructions on Interfaces

A denotational model interprets formulas as objects in a category (and proofs as morphisms). We thus need to define all the constructions of linear logic at the level of interfaces. The most interesting cases are the linear negation and the tensor product (and the exponentials, but they will be treated in section 6).

Note that there will always be an "ambient" set A for predicates. We write $\bar{x}$ for the A-complement of x.

Let $X = (|X|, P_X)$ and $Y = (|Y|, P_Y)$ be two interfaces.

Definition 6. The dual of X is defined as $(|X|, P_X^\perp)$ where $P_X^\perp(x) = \overline{P_X(\bar{x})}$. We write it $X^\perp$. An antiseed of X is a seed in $X^\perp$.

In terms of specifications, $a \in P^\perp(x)$ means "if the program is started in a, and if execution terminates, the final state will be in x". If P is concerned with wp calculus, then $P^\perp$ is concerned with wlp calculus (weakest liberal precondition, also introduced by Dijkstra).

This operation of "negation" is the reason we do not ask for any properties 
on the predicate transformer. It respects neither continuity nor commutation 
properties! In many respects, this operation is not very well-behaved. 

Definition 7. The tensor of X and Y is the interface $(|X| \times |Y|, P_X \otimes P_Y)$ where $P_X \otimes P_Y$ is the predicate transformer

$P_X \otimes P_Y(r) = \bigcup_{x \times y \subseteq r} P_X(x) \times P_Y(y)$.

We write it $X \otimes Y$.

$P_X \otimes P_Y$ is the most natural transformer to construct on $|X| \times |Y|$. It was used in [8] to model parallel execution of independent pieces of programs. The intuition is the following: a program satisfies $P_X \otimes P_Y$ if, when you start it in a pair $(a, b) \in P_X \otimes P_Y(r)$ of initial states, the two final states will be related through r. In particular, this means that execution is synchronous: both executions need to terminate.

Definition 8. The with of X and Y is the interface $(|X| + |Y|, P_X \& P_Y)$ where $P_X \& P_Y(x, y) = (P_X(x), P_Y(y))$. We write it $X \& Y$.

This operation is not very interesting from the specification point of view: it is 
a kind of disjoint union. 

Definition 9. The other connectives are defined as usual:

- $\mathbf{0} = (\emptyset, \mathrm{Id})$; $\top = \mathbf{0}^\perp$; $\mathbf{1} = (\{*\}, \mathrm{Id})$; $\bot = \mathbf{1}^\perp$;

- $X \oplus Y$ (plus) is the interface $(X^\perp \& Y^\perp)^\perp$;

- $X ⅋ Y$ (par) is the interface $(X^\perp \otimes Y^\perp)^\perp$;

- $X \multimap Y$ is the interface $X^\perp ⅋ Y$.

Footnote (Definition 8): it uses implicitly the fact that $\mathcal{P}(|X| + |Y|) \simeq \mathcal{P}(|X|) \times \mathcal{P}(|Y|)$.

We have: 

Lemma 2. $\bot = \mathbf{1}$; $\top = \mathbf{0}$ and $X \oplus Y = X \& Y$.

The proof is immediate. The first two equalities are satisfied in several of the denotational models of LL; the third one is a little less common. (For example, it is satisfied in finiteness spaces, but in no ...-coherence spaces.)

As an application of the definitions, let's massage the definition of $A \multimap B$ into something readable:

$(a, b) \in A \multimap B(r)$
⇔ { definition }
$(a, b) \in (A^\perp ⅋ B)(r)$
⇔ { definition, involutivity of $\_^\perp$ }
$(a, b) \in (A \otimes B^\perp)^\perp(r)$
⇔ { definition of $\_^\perp$ }
$(a, b) \notin A \otimes B^\perp(\bar{r})$
⇔ { definition of $\otimes$ }
$\neg\big((\exists\, x \times y \subseteq \bar{r})\ a \in A(x) \wedge b \in B^\perp(y)\big)$
⇔ { logic }
$(\forall\, x \times y \subseteq \bar{r})\ a \notin A(x) \vee b \notin B^\perp(y)$
⇔ { logic }
$(\forall\, x \times y \subseteq \bar{r})\ a \in A(x) \Rightarrow b \in B(\bar{y})$
⇔ { lemma: $x \times y \subseteq \bar{r}$ iff $\langle r \rangle x \subseteq \bar{y}$ }
$(\forall\, \langle r \rangle x \subseteq \bar{y})\ a \in A(x) \Rightarrow b \in B(\bar{y})$
⇔ { change of variable: $\bar{y} \mapsto y$ }
$(\forall\, \langle r \rangle x \subseteq y)\ a \in A(x) \Rightarrow b \in B(y)$.

From this, we derive:

Lemma 3. $(a, b) \in A \multimap B(r)$ iff $a \in A(x) \Rightarrow b \in B(\langle r \rangle x)$ for all $x \subseteq |A|$.

For any interface X, $\mathrm{Id}_{|X|} \in \mathcal{S}(X \multimap X)$.

The shapes of images along $X ⅋ Y$ are usually difficult to visualize, but we have the following on "rectangles":

Lemma 4. Let X and Y be interfaces; then for all $x \subseteq |X|$ and $y \subseteq |Y|$ we have: $P_X \otimes P_Y(x \times y) = P_X(x) \times P_Y(y) \subseteq P_X ⅋ P_Y(x \times y)$.

Proof. That $P_X \otimes P_Y(x \times y) = P_X(x) \times P_Y(y)$ is straightforward.

Suppose now $a \in P_X(x)$ and $b \in P_Y(y)$; let's show that $(a, b) \in P_X ⅋ P_Y(x \times y)$:
suppose $x' \times y' \subseteq \overline{x \times y}$
⇒ { claim (see below) }
$x \subseteq \overline{x'} \vee y \subseteq \overline{y'}$
⇒ { monotonicity }
$a \in P_X(\overline{x'}) \vee b \in P_Y(\overline{y'})$.

Claim: $x' \times y' \subseteq \overline{x \times y} \Rightarrow x \subseteq \overline{x'} \vee y \subseteq \overline{y'}$.
Proof of claim: suppose $\neg(x \subseteq \overline{x'}) \wedge \neg(y \subseteq \overline{y'})$
⇒ $x \cap x' \neq \emptyset \wedge y \cap y' \neq \emptyset$
⇒ $(x \times y) \cap (x' \times y') \neq \emptyset$
⇒ $\neg(x' \times y' \subseteq \overline{x \times y})$. □

Furthermore, seeds in A and B are related to seeds in $A \otimes B$ and $A ⅋ B$ in the following way:

Lemma 5. Let A and B be interfaces. We have:

(i) if $x \in \mathcal{S}(A)$ and $y \in \mathcal{S}(B)$ then $x \times y \in \mathcal{S}(A \otimes B)$;

(ii) if $x \in \mathcal{S}(A)$ and $y \in \mathcal{S}(B)$ then $x \times y \in \mathcal{S}(A ⅋ B)$.

Proof. The first point is obvious; the second point is a direct consequence of Lemma 4. □



4 Linear Proofs and Seeds

The previous section gave a way to interpret any linear formula F by an interface $F^*$. (When no confusion arises, $F^*$ is written F.) We now interpret linear proofs of F as subsets of the state space of $F^*$. We refer to [1] or the abundant literature on the subject for the motivations governing those inference rules. Recall that a sequent $A_1, \ldots, A_n$ is interpreted by $A_1 ⅋ \ldots ⅋ A_n$, and that the notation $\pi \vdash \Gamma$ means "π is a proof of sequent Γ".

(1) if π is the axiom $\vdash \mathbf{1}$ then $\pi^* = \{*\}$;

(2) if π is the axiom $\vdash \Gamma, \top$ then $\pi^* = \emptyset$;

(3) if π is
        $\pi_1 \vdash \Gamma$
      ----------------------
        $\vdash \Gamma, \bot$
    then $\pi^* = \{(\gamma, *) \mid \gamma \in \pi_1^*\}$;

(4) if π is
        $\pi_1 \vdash \Gamma, A, B$
      ----------------------
        $\vdash \Gamma, A ⅋ B$
    then $\pi^* = \{(\gamma, (a, b)) \mid (\gamma, a, b) \in \pi_1^*\}$;

(5) if π is
        $\pi_1 \vdash \Gamma, A$    $\pi_2 \vdash \Delta, B$
      ------------------------------------------
        $\vdash \Gamma, \Delta, A \otimes B$
    then $\pi^* = \pi_1^* \otimes \pi_2^* = \{(\gamma, \delta, (a, b)) \mid (\gamma, a) \in \pi_1^* \wedge (\delta, b) \in \pi_2^*\}$;

(6) if π is
        $\pi_1 \vdash \Gamma, A$
      ----------------------
        $\vdash \Gamma, A \oplus B$
    then $\pi^* = \{(\gamma, (1, a)) \mid (\gamma, a) \in \pi_1^*\}$;

(7) if π is
        $\pi_1 \vdash \Gamma, B$
      ----------------------
        $\vdash \Gamma, A \oplus B$
    then $\pi^* = \{(\gamma, (2, b)) \mid (\gamma, b) \in \pi_1^*\}$;

(8) if π is
        $\pi_1 \vdash \Gamma, A$    $\pi_2 \vdash \Gamma, B$
      ------------------------------------------
        $\vdash \Gamma, A \& B$
    then $\pi^* = \{(\gamma, (1, a)) \mid (\gamma, a) \in \pi_1^*\} \cup \{(\gamma, (2, b)) \mid (\gamma, b) \in \pi_2^*\}$;

(9) if π is
        $\pi_1 \vdash \Gamma, A$    $\pi_2 \vdash \Delta, A^\perp$
      ------------------------------------------
        $\vdash \Gamma, \Delta$
    then $\pi^* = \{(\gamma, \delta) \mid (\exists a)\ (\gamma, a) \in \pi_1^* \wedge (\delta, a) \in \pi_2^*\}$.

This interpretation is correct in the following sense:

Proposition 1. If π is a proof of F, then $\pi^*$ is a seed in $F^*$.

Proof. By induction on the structure of π: we check that seeds propagate through the above constructions. It is mostly trivial computation, except for two interesting cases:

(5): suppose that $\pi_1$ is a seed in $\Gamma, A$ and that $\pi_2$ is a seed in $\Delta, B$. We need to show that $\pi_1 \otimes \pi_2 = \{(\gamma, \delta, (a, b)) \mid (\gamma, a) \in \pi_1 \wedge (\delta, b) \in \pi_2\}$ is a seed in the sequent $\Gamma, \Delta, (A \otimes B)$.
Let $(\gamma, \delta, (a, b)) \in \pi_1 \otimes \pi_2$
⇔
$(\gamma, a) \in \pi_1$ and $(\delta, b) \in \pi_2$
⇒ { $\pi_1$ and $\pi_2$ are seeds in $\Gamma, A$ and $\Delta, B$ }
$(\gamma, a) \in \Gamma, A(\pi_1)$ and $(\delta, b) \in \Delta, B(\pi_2)$.
By contradiction, let $(\gamma, \delta, (a, b)) \notin \Gamma, \Delta, A \otimes B(\pi_1 \otimes \pi_2)$
⇔
$(\gamma, \delta, (a, b)) \in \Gamma^\perp \otimes \Delta^\perp \otimes (A \otimes B)^\perp(\overline{\pi_1 \otimes \pi_2})$
⇔ { for some $u \times v \times r \subseteq \overline{\pi_1 \otimes \pi_2}$ }
$\gamma \in \Gamma^\perp(u) \wedge \delta \in \Delta^\perp(v) \wedge (a, b) \in (A \otimes B)^\perp(r)$
⇔
$\ldots \wedge \big((\forall\, x \times y \subseteq \bar{r})\ a \in A^\perp(\bar{x}) \vee b \in B^\perp(\bar{y})\big)$.

In particular, define $x = \langle \pi_1 \rangle u$ and $y = \langle \pi_2 \rangle v$; it is easy to show that $x \times y \subseteq \bar{r}$, so that we have $a \in A^\perp(\bar{x})$ or $b \in B^\perp(\bar{y})$.

Suppose $a \in A^\perp(\bar{x})$: we have $\gamma \in \Gamma^\perp(u)$ and $u \times \bar{x} \subseteq \overline{\pi_1}$ (easy lemma); so by definition, $(\gamma, a) \in \Gamma^\perp \otimes A^\perp(\overline{\pi_1})$, i.e. $(\gamma, a) \notin \Gamma, A(\pi_1)$! This is a contradiction. Similarly, one can derive a contradiction from $b \in B^\perp(\bar{y})$. This finishes the proof that $\pi_1 \otimes \pi_2$ is a seed of $\Gamma, \Delta, A \otimes B$.

(9): let $\pi_1$ be a seed in $\Gamma, A = \Gamma^\perp \multimap A$ and $\pi_2$ a seed in $\Delta, A^\perp$, i.e. $\pi_2^\sim$ is a seed in $A \multimap \Delta$. Let's show that $\pi = \{(\gamma, \delta) \mid (\exists a)\ (\gamma, a) \in \pi_1 \wedge (\delta, a) \in \pi_2\} = \pi_2^\sim \cdot \pi_1$ is a seed in $\Gamma, \Delta$.

Suppose $(\gamma, \delta) \in \pi_2^\sim \cdot \pi_1$, i.e. that $(\gamma, a) \in \pi_1$ and $(a, \delta) \in \pi_2^\sim$ for some a. We will prove that $(\gamma, \delta)$ is in $\Gamma, \Delta(\pi) = \Gamma^\perp \multimap \Delta(\pi)$. According to Lemma 3, we need to show that if $\gamma \in \Gamma^\perp(u)$ then $\delta \in \Delta(\langle \pi \rangle u)$.
Let $\gamma \in \Gamma^\perp(u)$
⇒ { $(\gamma, a) \in \pi_1 \subseteq \Gamma^\perp \multimap A(\pi_1)$ }
$a \in A(\langle \pi_1 \rangle u)$
⇒ { $(a, \delta) \in \pi_2^\sim \subseteq A \multimap \Delta(\pi_2^\sim)$ }
$\delta \in \Delta(\langle \pi_2^\sim \rangle \langle \pi_1 \rangle u) = \Delta(\langle \pi \rangle u)$. □



5 Morphisms, Categorical Structure

To complete the formal definition of a category of interfaces, we need to define morphisms between interfaces. This is done in the usual way:

Definition 10. A linear arrow from X to Y is a seed in $X \multimap Y$.

Here is a nicer characterization of linear arrows from X to Y:

Lemma 6. $r \in \mathcal{S}(X \multimap Y)$ iff $\langle r \rangle(P_X(x)) \subseteq P_Y(\langle r \rangle(x))$ for all $x \subseteq |X|$.

Proof. Suppose r is a seed in $X \multimap Y$; let $b \in \langle r \rangle P_X(x)$
⇔
there is some a s.t. $(a, b) \in r$ and $a \in P_X(x)$
⇒ { r is a seed in $X \multimap Y$ }
$(a, b) \in P_X \multimap P_Y(r)$
⇒ { definition of $\multimap$ }
$b \in P_Y(\langle r \rangle x)$.

Conversely, suppose $\langle r \rangle P_X(x) \subseteq P_Y \langle r \rangle(x)$; let $(a, b) \in r$, and $a \in P_X(x)$. We have $b \in \langle r \rangle P_X(x)$, and by hypothesis, $b \in P_Y(\langle r \rangle x)$. □

Lemma 7. If $r \in \mathcal{S}(X \multimap Y)$ and $r' \in \mathcal{S}(Y \multimap Z)$ then $r' \cdot r \in \mathcal{S}(X \multimap Z)$.

Proof. This is the essence of point (9) from Proposition 1, or a simple corollary to Lemma 6. □

Taken together with Lemma 3, this makes interfaces into a category:

Definition 11. We write Int for the category with interfaces as objects and linear arrows as morphisms.

This category is an enrichment of the usual category Rel. The construction can be summarized in the following way:

Lemma 8. Int is obtained by lifting Rel through the following specification structure ([9]):

- if X is a set, $\mathrm{Pr}_X = \mathcal{P}(X) \to \mathcal{P}(X)$;

- if $r \subseteq X \times Y$, $P \in \mathrm{Pr}_X$ and $Q \in \mathrm{Pr}_Y$, then $P\{r\}Q$ iff $\langle r \rangle \cdot P \subseteq Q \cdot \langle r \rangle$.

Let's now turn our attention to the structure of this category:
Let's now turn our attention to the structure of this category: 
Lemma 9. In Int, $\top$ is terminal and $\&$ is the cartesian product.

Proof. This is immediate. □

Lemma 10. $\_^\perp$ is an involutive contravariant functor.

Proof. Involutivity is trivial; contravariance is only slightly trickier:
r is a seed in $A \multimap B$
⇔ { Lemma 6 }
$\forall x\ \langle r \rangle A(x) \subseteq B \langle r \rangle x$
⇔
$\forall x\ \overline{B \langle r \rangle x} \subseteq \overline{\langle r \rangle A(x)}$
⇔ { lemma: $y \subseteq \overline{\langle r \rangle x}$ iff $\langle r^\sim \rangle y \subseteq \bar{x}$ }
$\forall x\ \langle r^\sim \rangle \overline{B \langle r \rangle x} \subseteq \overline{A(x)}$
⇒ { in particular, for x of the form $\overline{\langle r^\sim \rangle y}$; we have $y \subseteq \overline{\langle r \rangle \overline{\langle r^\sim \rangle y}}$ (lemma) }
$\forall y\ \langle r^\sim \rangle B^\perp(y) \subseteq A^\perp(\langle r^\sim \rangle y)$

i.e. $r^\sim$ is a seed in $B^\perp \multimap A^\perp$. The action of $\_^\perp$ on morphisms is just $\_^\sim$. □

Corollary 1. Int is autodual through $\_^\perp$; $\mathbf{0}$ is initial; and $\oplus$ is the coproduct.

It is now easy to see that linear arrows transform seeds into seeds, and, in the other direction, antiseeds into antiseeds:

Proposition 2. Suppose r is a linear arrow from X to Y:

(i) $\langle r \rangle$ is a sup-lattice morphism from $\mathcal{S}(X)$ to $\mathcal{S}(Y)$;

(ii) $\langle r^\sim \rangle$ is a sup-lattice morphism from $\mathcal{S}(Y^\perp)$ to $\mathcal{S}(X^\perp)$.

Proof. Let $r \in \mathcal{S}(X \multimap Y)$ and $x \subseteq X(x)$; we want to show that $\langle r \rangle x \subseteq Y(\langle r \rangle x)$.
Let $b \in \langle r \rangle x$
⇔
$(\exists a)\ (a, b) \in r \wedge a \in x$
⇒ { r is a seed in $X \multimap Y$ }
$(\exists a)\ (a, b) \in X \multimap Y(r) \wedge a \in x$
⇒ { definition of $X \multimap Y$ with the fact that $\langle r \rangle x \subseteq \langle r \rangle x$ }
$b \in Y(\langle r \rangle x)$.

Showing that $\langle r \rangle$ commutes with sups is immediate: it commutes with arbitrary unions, even when the argument is not a seed.

The second point follows because $r^\sim \in \mathcal{S}(Y^\perp \multimap X^\perp)$. □

Lemma 11. $\otimes$ is a categorical tensor product with neutral element $\mathbf{1}$.

Proof. We need to show the bifunctoriality of $\otimes$. This was actually proved in the previous section (Proposition 1, point (5)). The bifunctoriality of ⅋ follows by duality; and the rest is immediate. □

As a summary of this whole section, we have:

Proposition 3. Int is a $*$-autonomous category. (In particular, Int is symmetric monoidal closed.)
Proof. This amounts to checking trivial equalities, in particular, that the following diagram commutes (where d is the natural isomorphism $X \simeq X^{\perp\perp}$):

[Diagram omitted: its vertices are $X \multimap Y^\perp$, $Y \multimap X^\perp$ and $X^{\perp\perp} \multimap Y$, related through d.]

It is immediate because $d = \mathrm{Id}$. □



6 Exponentials

The category Int is thus a denotational model for multiplicative additive linear logic. Let's now add the exponentials $!X$ and $?X$.

Unsurprisingly, we will use finite multisets; here are the necessary definitions and notations:

Definition 12. Let S be a set;

- if $(s_i)_{i \in I}$ and $(t_j)_{j \in J}$ are finite families on S, say $(s_i) \simeq (t_j)$ iff there is a bijection $\sigma$ from I to J such that $s_i = t_{\sigma(i)}$ for all i in I.

- A finite multiset over S is an equivalence class of $\simeq$. We write $[s_i]$ for the equivalence class containing $(s_i)$.

- $\mathcal{M}_f(S)$ is the collection of finite multisets over S.

- Concatenation of finite families (defined on the disjoint sum of the different index sets) can be lifted to multisets; it is written $+$.

- If x and y are two subsets of S, we write $x * y$ for the set $\{[a, b] \mid a \in x \wedge b \in y\}$. Its indexed version is written $\prod_{i \in I} x_i$; it is a kind of commutative product.

- If U and V are two subsets of $\mathcal{M}_f(A)$, the set $\{u + v \mid u \in U \wedge v \in V\}$ is written $U * V$ (same symbol, but no confusion arises).

Definition 13. For $X = (|X|, P)$, define $!X = (\mathcal{M}_f(|X|), !P)$ where

$[a_1, \ldots, a_n] \in\ !P(U) \Leftrightarrow (\exists (x_i)_{1 \le i \le n})\ \prod_i x_i \subseteq U \wedge (\forall i = 1, \ldots, n)\ a_i \in P(x_i)$.

Let $?X = (!(X^\perp))^\perp$.

Recall that a multiset $[a_i]$ is in $\prod_i x_i$ iff there is a bijection $\sigma$ s.t. $\forall i,\ a_i \in x_{\sigma(i)}$.

A useful intuition is that $[a_1, \ldots] \in\ !P(U)$ iff $[a_1, \ldots]$ is in a "weak infinite tensor" $\bigoplus_n \otimes^n(U)$. In terms of specifications and programs, it suggests multithreading: for an initial state $[a_1, \ldots, a_n]$, start n occurrences of the program in the states $a_1, \ldots, a_n$; the final state is nothing but the multiset of all the n final states. (The interpretation of !, like that of $\otimes$, is a synchronous operation.) The "weak" part means that we forget the link between a particular final state and a particular initial state.

Note that this is a "non-uniform" model in the sense that the web of $!X$ contains all finite multisets, not just those whose underlying set is a seed. It is thus closer to non-uniform (hyper)coherence semantics (see [10] or [11]) than to the traditional (hyper)coherence semantics.
Let's prove a simple lemma about the exponentials:

Lemma 12. Suppose $U \subseteq \mathcal{M}_f(|A|)$:

(i) $[a] \in\ !A(U)$ iff there is some x "included" in U (i.e. $\forall b \in x,\ [b] \in U$) s.t. $a \in A(x)$;

(ii) $l + l' \in\ !A(U)$ iff there are $V * V' \subseteq U$ s.t. $l \in\ !A(V)$ and $l' \in\ !A(V')$;

(iii) $[a] \in\ ?A(U)$ iff for all x "included" in $\bar{U}$, $a \in A(\bar{x})$;

(iv) $l + l' \in\ ?A(U)$ iff for all $V * V' \subseteq \bar{U}$, $l \in\ ?A(\bar{V})$ or $l' \in\ ?A(\overline{V'})$.

Proof. The first point is immediate and the second is left as an exercise. The third and last points are consequences of the definition of ? in terms of !. □
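Definition 13 and Lemma 12 (i) computed on a two-state space, as an added example that is not part of the paper. The encoding of a multiset as a sorted tuple, the enumeration bound max_len and the swap specification used as sample input (the "switch" of section 7) are assumptions of this example.

```python
from itertools import product

# Added example (not code from the paper): the exponential !P of Definition 13
# on a finite state space. A finite multiset is encoded as the sorted tuple of
# its elements, one representative of its class in the sense of Definition 12;
# this encoding and the helper names are assumptions of this example.

def powerset(s):
    """All subsets of a finite set, as frozensets."""
    s = tuple(s)
    return [frozenset(e for i, e in enumerate(s) if mask >> i & 1)
            for mask in range(1 << len(s))]

def multiset(*elems):
    """Canonical representative of the multiset [elems]."""
    return tuple(sorted(elems))

def mprod(xs):
    """The commutative product prod_i x_i of Definition 12: every multiset
    [a_1, ..., a_n] obtained by picking one a_i from each x_i."""
    return frozenset(multiset(*choice) for choice in product(*xs))

def bang(space, P, U, max_len=None):
    """!P(U): the multisets [a_1..a_n] for which some family (x_i) satisfies
    prod_i x_i <= U and a_i in P(x_i) for every i (Definition 13).
    Only multisets of length <= max_len are enumerated.  This is exact when
    P(empty) is empty: prod_i x_i <= U then bounds n by the longest multiset
    in U.  With P(empty) non-empty the true !P(U) is infinite and the result
    is its truncation (an assumption of this example)."""
    U = frozenset(U)
    if max_len is None:
        max_len = max((len(l) for l in U), default=0)
    subs = powerset(space)
    out = set()
    for n in range(max_len + 1):
        for xs in product(subs, repeat=n):      # candidate families (x_1..x_n)
            if mprod(xs) <= U:
                # every choice of a_i in P(x_i) yields a member of !P(U)
                out |= {multiset(*choice)
                        for choice in product(*(P(x) for x in xs))}
    return frozenset(out)

def lemma12_i(space, P, U, a):
    """Lemma 12 (i): [a] in !P(U) iff some x "included" in U (every [b] with
    b in x lies in U) satisfies a in P(x).  Returns True if both sides agree."""
    lhs = multiset(a) in bang(space, P, U, max_len=1)
    rhs = any(all(multiset(b) in U for b in x) and a in P(x)
              for x in powerset(space))
    return lhs == rhs

# Sample specification (assumed): the two-state "switch" of section 7,
# P({+}) = {-}, P({-}) = {+}, P(empty) = empty, P({+,-}) = {+,-}.
SPACE = frozenset({'+', '-'})

def switch(x):
    return frozenset({'+': '-', '-': '+'}[s] for s in x)

def identity(x):
    return x

def demo():
    """!switch on U = {[+,-]}: a thread started in + must end in - and one
    started in - must end in +, so [+,-] is the only member of !P(U)."""
    U = {multiset('+', '-')}
    return bang(SPACE, switch, U)
```

For the identity transformer the computation returns U itself, the multiset analogue of P_F = Id in the linear case.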

Define now the interpretation of proofs with exponentials:

(10) if π is
        $\pi_1 \vdash \Gamma, A$
      ----------------------
        $\vdash \Gamma, ?A$
    then $\pi^* = \{(\gamma, [a]) \mid (\gamma, a) \in \pi_1^*\}$;

(11) if π is
        $\pi_1 \vdash \Gamma$
      ----------------------
        $\vdash \Gamma, ?A$
    then $\pi^* = \{(\gamma, []) \mid \gamma \in \pi_1^*\}$;

(12) if π is
        $\pi_1 \vdash \Gamma, ?A, ?A$
      ----------------------
        $\vdash \Gamma, ?A$
    then $\pi^* = \{(\gamma, l + l') \mid (\gamma, l, l') \in \pi_1^*\}$;

(13) if π is
        $\pi_1 \vdash ?\Gamma, A$
      ----------------------
        $\vdash ?\Gamma, !A$
    then we define $(l_1, \ldots, l_J, [a_1, \ldots, a_n]) \in \pi^*$ iff for each $j = 1, \ldots, J$ there is a partition $l_j = \sum_{1 \le i \le n} l_j^i$ such that the following holds: for each $i = 1, \ldots, n$, $(l_1^i, \ldots, l_J^i, a_i) \in \pi_1^*$.

Proposition 4. If π is a proof of $\vdash \Gamma$, then $\pi^*$ is a seed of $\Gamma$.

Proof. Points (10) and (11) are immediate.

(12): suppose $\pi_1$ is a seed in $\Gamma, ?A, ?A$ and let $(\gamma, l + l')$ be an element of π. By contradiction, suppose that $(\gamma, l + l') \notin \Gamma, ?A(\pi)$
⇔ { for some $u \times U \subseteq \bar{\pi}$ }
$\gamma \in \Gamma^\perp(u) \wedge l + l' \in\ !A^\perp(U)$
⇔ { Lemma 12 }
$\gamma \in \Gamma^\perp(u) \wedge (\exists\, V * V' \subseteq U)\ l \in\ !A^\perp(V) \wedge l' \in\ !A^\perp(V')$
⇒ { lemma: $u \times V \times V' \subseteq \overline{\pi_1}$ }
$\gamma \in \Gamma^\perp(u) \wedge l \in\ !A^\perp(V) \wedge l' \in\ !A^\perp(V')$
⇔
$(\gamma, l, l') \in \Gamma^\perp \otimes\ !A^\perp \otimes\ !A^\perp(\overline{\pi_1})$
⇔
$(\gamma, l, l') \notin \Gamma, ?A, ?A(\pi_1)$, which contradicts the fact that $\pi_1$ is a seed in $\Gamma, ?A, ?A$.
(13): suppose that Γ contains only one formula B. The general case will follow from a lemma proved below (Lemma 13). Suppose that $\pi_1$ is a seed in $?B, A$; let $(l, [a_1, \ldots, a_n])$ be in π, i.e. $(l_i, a_i) \in \pi_1$ for $i = 1, \ldots, n$, for some partition $(l_1, \ldots, l_n)$ of l.

Suppose by contradiction that $(l, [a_1, \ldots, a_n]) \notin ?B, !A(\pi)$
⇔
$(l, [a_1, \ldots, a_n]) \in\ !B^\perp \otimes ?A^\perp(\bar{\pi})$
⇔ { for some $U \times V \subseteq \bar{\pi}$ }
$l \in\ !B^\perp(U) \wedge [a_1, \ldots, a_n] \in ?A^\perp(V)$
⇔ { definition of $?A^\perp$ }
$l \in\ !B^\perp(U) \wedge \big((\forall (x_i))\ \prod_i x_i \subseteq \bar{V} \Rightarrow (\exists i)\ a_i \in A^\perp(\overline{x_i})\big)$
⇒ { Lemma 12 for l: for some $(U_i)$ s.t. $\prod_i U_i \subseteq U$ }
$(\forall i)\ l_i \in\ !B^\perp(U_i) \wedge \big((\forall (x_i))\ \prod_i x_i \subseteq \bar{V} \Rightarrow (\exists i)\ \ldots\big)$
⇒ { define $x_i = \langle \pi_1 \rangle U_i$; lemma: $\prod_i x_i \subseteq \bar{V}$ }
$\big((\forall i)\ l_i \in\ !B^\perp(U_i)\big) \wedge \big((\exists i)\ a_i \in A^\perp(\overline{x_i})\big)$
⇒ { lemma: $U_i \times \overline{x_i} \subseteq \overline{\pi_1}$ }
$(\exists i)\ (\exists\, U_i \times \overline{x_i} \subseteq \overline{\pi_1})\ l_i \in\ !B^\perp(U_i) \wedge a_i \in A^\perp(\overline{x_i})$
⇔
$(l_i, a_i) \in\ !B^\perp \otimes A^\perp(\overline{\pi_1})$
⇔
$(l_i, a_i) \notin ?B, A(\pi_1)$, which contradicts the fact that $\pi_1$ is a seed in $?B, A$. □

Lemma 13. For all interfaces X and Y, we have $!(X \& Y) = !X \otimes !Y$.

Proof. The state spaces are isomorphic via $\mathcal{M}_f(|X| + |Y|) \simeq \mathcal{M}_f(|X|) \times \mathcal{M}_f(|Y|)$. We will use this transparently, for example $l_X + l_Y \in R \Leftrightarrow (l_X, l_Y) \in R$. This is possible because the sets are disjoint: we can always split a multiset in $x * y$ into two multisets in x and y. (In other words: if $x \cap y = \emptyset$ then $x * y \simeq x \times y$.)

Notice also that $(1, a) \in X \& Y(x, y) \Leftrightarrow a \in X(x)$, so that when considering a particular element of $X \& Y(x, y)$, only one part of the argument $(x, y)$ is really important; the other can be dropped (or replaced with $\emptyset$).

$\subseteq$: suppose $[a_1, \ldots, a_n] + [b_1, \ldots, b_m] \in\ !(X \& Y)(R)$
⇔ { for some $(x_i)_{i = 1 \ldots n}$ and $(y_j)_{j = 1 \ldots m}$ }
$\prod_i x_i * \prod_j y_j \subseteq R \wedge (\forall i)\ a_i \in X(x_i) \wedge (\forall j)\ b_j \in Y(y_j)$
⇒ { define $U' = \prod_i x_i$ and $V' = \prod_j y_j$ }
$(\exists\, U' \times V' \subseteq R)\ [a_i] \in\ !X(U') \wedge [b_j] \in\ !Y(V')$
⇔
$([a_1, \ldots, a_n], [b_1, \ldots, b_m]) \in\ !X \otimes !Y(R)$.

$\supseteq$: suppose $([a_1, \ldots, a_n], [b_1, \ldots, b_m]) \in\ !X \otimes !Y(R)$
⇔ { for some $U' \times V' \subseteq R$ }
$[a_1, \ldots, a_n] \in\ !X(U') \wedge [b_1, \ldots, b_m] \in\ !Y(V')$
⇔ { for some $(x_i)$ s.t. $\prod_i x_i \subseteq U'$ and $(y_j)$ s.t. $\prod_j y_j \subseteq V'$ }
$(\forall i)\ a_i \in X(x_i) \wedge (\forall j)\ b_j \in Y(y_j)$
⇒ { $\prod_i x_i \times \prod_j y_j \subseteq U' \times V'$ and thus $\prod_i x_i * \prod_j y_j \subseteq R$ }
$[a_1, \ldots, a_n] + [b_1, \ldots, b_m] \in\ !(X \& Y)(R)$. □

This allows us to transform any sequent $?\Gamma = ?B_1, \ldots, ?B_n$ into $?(B_1 \oplus \ldots \oplus B_n)$, and thus formally ends the proof of Proposition 4, point (13).

7 Linear Interfaces and Linear Seeds

What is the structure of those interfaces that come from a linear formula? The answer is unfortunately trivial:

Proposition 5. If F is a linear formula, then $P_F = \mathrm{Id}_{\mathcal{P}(|F|)}$.

Proof. Immediate induction. Let's treat the case of the exponentials:
suppose $F(x) = x$; suppose moreover that $[a_1, \ldots, a_n] \in U$
⇒
$a_i \in F(\{a_i\})$ for all i and $\prod_i \{a_i\} = \{[a_1, \ldots, a_n]\} \subseteq U$
⇒
$[a_1, \ldots, a_n] \in\ !F(U)$.

Similarly, suppose $[a_1, \ldots, a_n] \in\ !F(U)$
⇒
each $a_i \in F(x_i) = x_i$ for some $(x_i)$ s.t. $\prod_i x_i \subseteq U$
⇒ { $[a_1, \ldots, a_n] \in \prod_i x_i$ }
$[a_1, \ldots, a_n] \in U$. □

In particular, every subset of $|F|$ is a clique and an anticlique: the situation is thus quite similar to the purely relational model. In the presence of atoms however, interfaces become much more interesting.

Adding atoms is sound because the proof of Proposition 1 doesn't rely on the particular properties of interfaces. Note that we need to introduce a general axiom rule and its interpretation:

(14) if π is the axiom $\vdash X^\perp, X$ then $\pi^* = \mathrm{Id}_{|X|} = \{(a, a) \mid a \in |X|\}$.

This is correct in the sense that $\pi^*$ is always a clique in $X \multimap X$.

With such atoms, the structure of linear interfaces gets non trivial. (We can extend this to a model for $\Pi_1$ logic, and even to full second order, see [12].) For example, let's consider the following atom $X = (\{-, +\}, P)$ defined by:

- $P(\emptyset) = \emptyset$ and $P(|X|) = |X|$;

- $P(\{+\}) = \{-\}$ and $P(\{-\}) = \{+\}$.

This is the simplest example of an interesting interface, and corresponds to a "switch" specification. (Interpret $-$ as "off" and $+$ as "on".)

Lemma 14. If P is the above specification:

(i) $P^\perp = P$;

(ii) $P \cdot P = \mathrm{Id}$;

(iii) $\mathcal{S}(X) = \{\emptyset, \{+, -\}\}$;

(iv) $\{(+, -), (-, +)\} \in \mathcal{S}(X \otimes X)$.

Proof. This is just trivial computation. □

Point (iv) shows in particular that a seed in $X \otimes Y$ need not contain a product of seeds in X and Y. (Compare with Lemma 5.)

The hierarchy generated from this single interface is however still relatively simple: call a specification deterministic if it commutes with non-empty unions and intersections.

Lemma 15. Let F be any specification constructed from the above P and the linear connectives. Then F is deterministic. Moreover, F is of the form $\langle f \rangle$ where f is an obvious bijection on the state space of F.

A less trivial (in the sense that it is not deterministic) specification is the following: if X is a set, $\mathrm{magic}_X(x) = X$. In terms of programming, the use of the magic command allows one to reach any predicate, even the empty one!

Lemma 16. $\mathrm{Id}_{|X|} \subsetneq \mathrm{magic}_X \multimap \mathrm{magic}_X(\mathrm{Id}_{|X|})$ if X

Thus we cannot strengthen the definition of seeds to read "$x = P(x)$" without imposing further constraints on our specifications. It is still an open question to find a nice class of predicate transformers for which it would be possible. (However, considerations about second order seem to indicate that strengthening the definition of seeds in such a way is not a good idea.)
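Definitions 3, 5, 6, 7 and 9, the characterisation of linear arrows in Lemma 6, the four claims of Lemma 14 and the strict inclusion of Lemma 16, all computed on finite state spaces. This is an added example, not code from the paper; the encoding of a predicate transformer as a Python function on frozensets, the helper names, and the two-element set used for Lemma 16 are assumptions of this example.

```python
from itertools import product

# Added example (not code from the paper): interfaces on finite state spaces.
# A predicate transformer is a Python function frozenset -> frozenset and an
# interface is a pair (state_space, transformer); these encodings and all
# helper names below are assumptions of this example.

def powerset(s):
    """All subsets of a finite set, as frozensets."""
    s = tuple(s)
    return [frozenset(e for i, e in enumerate(s) if mask >> i & 1)
            for mask in range(1 << len(s))]

def image(r, x):
    """Direct image <r>(x) of a relation r (Definition 3)."""
    return frozenset(b for (a, b) in r if a in x)

def is_monotonic(space, P):
    subs = powerset(space)
    return all(P(x) <= P(y) for x in subs for y in subs if x <= y)

def seeds(space, P):
    """S(X): the subsets x with x <= P(x) (Definition 5)."""
    return {x for x in powerset(space) if x <= P(x)}

def dual(space, P):
    """P^perp(x) = complement of P(complement of x) (Definition 6)."""
    return lambda x: space - P(space - x)

def tensor(X, Y):
    """X (x) Y: (Px (x) Py)(r) is the union of Px(x) x Py(y) over all
    rectangles x*y contained in r (Definition 7)."""
    (sx, Px), (sy, Py) = X, Y
    def PXY(r):
        out = set()
        for x in powerset(sx):
            for y in powerset(sy):
                if frozenset(product(x, y)) <= r:
                    out |= set(product(Px(x), Py(y)))
        return frozenset(out)
    return frozenset(product(sx, sy)), PXY

def lollipop(X, Y):
    """X -o Y = (X (x) Y^perp)^perp (Definition 9, unfolded by duality)."""
    sy, Py = Y
    space, T = tensor(X, (sy, dual(sy, Py)))
    return space, dual(space, T)

def is_linear_arrow(r, X, Y):
    """Lemma 6: r is a seed of X -o Y iff <r>(Px(x)) <= Py(<r>(x)) for all x."""
    (sx, Px), (sy, Py) = X, Y
    return all(image(r, Px(x)) <= Py(image(r, x)) for x in powerset(sx))

def lemma6_holds(X, Y):
    """Both sides of Lemma 6 agree on every relation r <= |X| x |Y|."""
    space, P = lollipop(X, Y)
    return all((r <= P(r)) == is_linear_arrow(r, X, Y) for r in powerset(space))

# The "switch" atom of this section: states {+, -}; P swaps the two states, so
# P(empty) = empty, P({+}) = {-}, P({-}) = {+} and P({+, -}) = {+, -}.
SWITCH_SPACE = frozenset({'+', '-'})

def switch(x):
    return frozenset({'+': '-', '-': '+'}[s] for s in x)

SWITCH = (SWITCH_SPACE, switch)

def lemma14():
    """The four claims of Lemma 14, computed from the definitions."""
    P_dual = dual(SWITCH_SPACE, switch)
    subs = powerset(SWITCH_SPACE)
    i = all(P_dual(x) == switch(x) for x in subs)            # (i)  P^perp = P
    ii = all(switch(switch(x)) == x for x in subs)          # (ii) P . P = Id
    iii = seeds(SWITCH_SPACE, switch) == {frozenset(), SWITCH_SPACE}
    _, T = tensor(SWITCH, SWITCH)
    r = frozenset({('+', '-'), ('-', '+')})
    iv = r <= T(r)                                          # (iv) r in S(X (x) X)
    return (i, ii, iii, iv)

def magic_strictness(space):
    """Lemma 16 on any space with at least two states (assumed): with
    magic(x) = |X| for every x, Id is a proper subset of
    (magic -o magic)(Id), so seeds cannot be required to satisfy x = P(x)."""
    magic = lambda x: frozenset(space)
    _, P = lollipop((space, magic), (space, magic))
    ident = frozenset((a, a) for a in space)
    return ident < P(ident)
```

The relation {(+,-)} alone fails the Lemma 6 test for the switch (start in -, P sends it to +, the relation maps + to -, but P(<r>{-}) = P(empty) is empty), while Id passes for every interface, as Lemma 3 states.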

In the case with atoms, because the structure of seeds (sup-lattice) is quite different from the structure of cliques in the ...-coherent model (domain), it is difficult to relate seeds and cliques. In particular, a seed need not be a clique (since the union of arbitrary cliques is not necessarily a clique); and a clique need not be a seed (since a subset of a seed is not necessarily a seed).



Conclusion

One aspect which was not really mentioned here is the fact that linear arrows from A to B are equivalent to the notion of forward data refinement (Lemma 6) from the refinement calculus. (A data refinement from specification F to specification G is a predicate transformer P s.t. $P \cdot F \subseteq G \cdot P$; a forward [resp. backward] data refinement is a data refinement which commutes with arbitrary unions [resp. arbitrary intersections].) In particular, a linear proof of $A \multimap B$ is a proof that specification B implements specification A. It would be interesting to see if any application to the refinement calculus could be derived from this work. In the same direction, trying to make sense of the notions of backward data refinement, or of general data refinement, in terms of linear logic could prove interesting.

Footnote (Lemma 15): where $\langle f \rangle(x) = \{f(a) \mid a \in x\}$.
The fact that this model is degenerate in the propositional case is disappointing, but degeneracy disappears when we consider $\Pi_1$ logic, and a fortiori when we consider full second order (see [12]). The point of extending this propositional model to $\Pi_1$ is to remove the dependency on specific valuations for the atoms present in a formula.

One of the interesting consequences of this work, namely that a proof of a formula F gives a guarantee that the system specified by the formula F can avoid deadlocks, seems to point toward other fields like process calculi and similar models for "real" computations. This direction is currently being pursued together with the following link with the differential lambda-calculus ([2]): one property of this model which doesn't reflect any logical property is the following; we have a natural transformation $A \multimap\ !A$ called co-dereliction, which has a natural interpretation in terms of differential operators on formulas (see [3]). Note that such a natural transformation forbids any kind of completeness theorem, at least as far as "pure" linear logic is concerned.